CS IP Filtering: start here

With Communications Server (CS) on z/OS, which I think of as the TCPIP started task, you can set up packet filtering. You define rules to allow or deny a packet into or out of TCP, based on criteria such as source IP address, destination IP port and address. The action can be to allow the packet into (or out of) TCP/IP, to quietly drop the packet, or to drop the packet but send an icmp response back to the originator. You can also log information about the packet. You could configure the rules so normal traffic is allowed access and not logged, but data from other addresses can be denied, and the event logged. You can review the traffic and set up rules to allow it, or to determine why someone is trying to access your system.

This is know as IPSECurity, and there is a product Vertali zTrust for Networks which interfaces to IPSEC and RACF to manage the environment using standard security tools.

There are three levels of rules

• Default – these are configured when the TCPIP address space starts – ensuring you do not have a window when there are no rules defined. This might be deny access to all, except the system programmers.
• From the Policy Agent – this is the normal source of rules.
• Defensive rules – you can create additional rules on the fly for when there is a problem. These rules can be configured to expire after a time period, for example 30 minutes.

Set up

You have to configure several address spaces, for example:

• TCPIP – to enable packet filtering, and to define the default(initial) rules.
• Policy Agent to define the rules used in normal operation.
• TRMD. This address space takes event information and writes it to the UNIX syslog daemon.
• SYSLOGD. This is a central service which is sent event data, and the daemon writes the data to one or more files – depending on the configuration and the originating program. Without this events are not logged.
• DMD – this processes the defensive rules and updates the TCPIP address space.

As usual there are started tasks to create, and define to WLM, security profiles to allow these started tasks to run, and profiles to allow users to administer IPSec packet filtering.

I have written some blog posts to help you navigate the journey. They are written to provide additional information to what is provided by IBM.

Blog posts

• Getting started
  • Planning the IP filtering rules
  • Defining rules with Policy Agent and avoiding the elephant traps. Such as It is easy to make your TCPIP instance totally inaccessible.
  • Common setup
  • Configuring TMDR – Traffic Management Daemon Regulation
  • Configuring Defence Manager Daemon (DMD) to allow short term defensive rules using the ipsec command
  • Change FTP to specify which ports it can use. Trying to use FTP.

• Defining rules
  • Allowing/denying packets flowing through z/OS
  • Use of DiscardAction to send an icmp response back
  • “standard IP flows”, for example for a ping or traceroute request; and OMPROUTE with OSPF
  • Adding default rules into the TCPIP address space for use before Policy Agent is active
  • Specifying IP addresses to Policy Agent
  • Testing the rules

• Operation
  • How to find which rules have been used
  • Understanding logged messages
  • Understanding the display output of the ipsec -f display command
  • Displaying the Policy Agent configuration – using pasearch
  • Defining dynamic rules for IP traffic. Creating short term defensive rules.
  • Writing a program to use Network management interfaces – consider using IPSEC -f command instead